However, he noted “the number of real humans in the data is going to be somewhat less” because many of the email addresses appear to be automatically generated and some of them aren’t in the proper format for an email address.

The list was found on a spambot server nicknamed Onliner with an IP address in the Netherlands by Benkow, a self-described French “malware hunter” and blogger, Hunt reported.

“Benkow and I have been in touch with a trusted source there who’s communicating with law enforcement in an attempt to get it shut down ASAP,” he added.

Spreads Banking Malware

Benkow said in a blog post that the spambot has been used since 2016 to spread banking malware called Ursnif. It’s designed to steal personal information and information about a user’s computer and send it to the spambot’s owner.

Benkow told ZDNet that Onliner has generated more than 100,000 malware infections around the world.

Hunt has uploaded the list to his website “Have I been pwned?”, which allows users to check if their email addresses have been compromised by looking for them on lists released in known data breaches.

Hunt said his own email address appeared on the Onliner list twice, along with a number of email addresses confirmed to have come from a 2012 LinkedIn breach that resulted in 100 million passwords being stolen. The list also includes all 593 million email addresses and passwords that appeared in a massive list released in 2016 called “Exploit.In.”

Hunt added, “This should give you an appreciation of how our data is redistributed over and over again once it’s out there in the public domain.”